{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-06-28T05:43:06.467","vulnerabilities":[{"cve":{"id":"CVE-2024-21878","sourceIdentifier":"csirt@divd.nl","published":"2024-08-12T13:38:15.107","lastModified":"2026-06-17T07:10:19.647","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"Improper Neutralization of Special Elements used in a Command ('Command Injection') vulnerability in Enphase IQ Gateway (formerly known as Envoy) allows OS Command Injection. This vulnerability is present in an internal script.This issue affects Envoy: from 4.x up to and including 8.x and is currently unpatched."},{"lang":"es","value":"La neutralización inadecuada de elementos especiales utilizados en una vulnerabilidad de comando (\"Inyección de comando\") en Enphase IQ Gateway (anteriormente conocido como Envoy) permite la inyección de comando del sistema operativo. Esta vulnerabilidad está presente en un script interno. Este problema afecta a Envoy: desde 4.x hasta 8.x inclusive y actualmente no está parcheado."}],"affected":[{"source":"csirt@divd.nl","affectedData":[{"vendor":"Enphase","product":"Envoy","defaultStatus":"affected","versions":[{"version":"8.x","lessThan":"8.2.4225","versionType":"semver","status":"affected"},{"version":"7.x","versionType":"semver","status":"affected"},{"version":"6.x","versionType":"semver","status":"affected"},{"version":"5.x","versionType":"semver","status":"affected"},{"version":"4.x","versionType":"semver","status":"affected"}]}]},{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","affectedData":[{"vendor":"enphase","product":"envoy","defaultStatus":"unknown","cpes":["cpe:2.3:h:enphase:envoy:*:*:*:*:*:*:*:*"],"versions":[{"version":"4.0","lessThan":"8.2.4225","versionType":"semver","status":"affected"}]}]}],"metrics":{"cvssMetricV40":[{"source":"csirt@divd.nl","type":"Secondary","cvssData":{"version":"4.0","vectorString":"CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:P/AU:Y/R:I/V:C/RE:H/U:X","baseScore":9.2,"baseSeverity":"CRITICAL","attackVector":"NETWORK","attackComplexity":"HIGH","attackRequirements":"NONE","privilegesRequired":"NONE","userInteraction":"NONE","vulnConfidentialityImpact":"HIGH","vulnIntegrityImpact":"HIGH","vulnAvailabilityImpact":"HIGH","subConfidentialityImpact":"LOW","subIntegrityImpact":"LOW","subAvailabilityImpact":"LOW","exploitMaturity":"NOT_DEFINED","confidentialityRequirement":"NOT_DEFINED","integrityRequirement":"NOT_DEFINED","availabilityRequirement":"NOT_DEFINED","modifiedAttackVector":"NOT_DEFINED","modifiedAttackComplexity":"NOT_DEFINED","modifiedAttackRequirements":"NOT_DEFINED","modifiedPrivilegesRequired":"NOT_DEFINED","modifiedUserInteraction":"NOT_DEFINED","modifiedVulnConfidentialityImpact":"NOT_DEFINED","modifiedVulnIntegrityImpact":"NOT_DEFINED","modifiedVulnAvailabilityImpact":"NOT_DEFINED","modifiedSubConfidentialityImpact":"NOT_DEFINED","modifiedSubIntegrityImpact":"NOT_DEFINED","modifiedSubAvailabilityImpact":"NOT_DEFINED","Safety":"PRESENT","Automatable":"YES","Recovery":"IRRECOVERABLE","valueDensity":"CONCENTRATED","vulnerabilityResponseEffort":"HIGH","providerUrgency":"NOT_DEFINED"}}],"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","baseScore":9.8,"baseSeverity":"CRITICAL","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":3.9,"impactScore":5.9}],"ssvcV203":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","ssvcData":{"timestamp":"2024-08-12T14:27:02.414547Z","id":"CVE-2024-21878","options":[{"exploitation":"none"},{"automatable":"yes"},{"technicalImpact":"total"}],"role":"CISA Coordinator","version":"2.0.3"}}]},"weaknesses":[{"source":"csirt@divd.nl","type":"Secondary","description":[{"lang":"en","value":"CWE-77"}]},{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"CWE-78"}]}],"configurations":[{"operator":"AND","nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:enphase:iq_gateway_firmware:*:*:*:*:*:*:*:*","versionStartIncluding":"4.0","versionEndExcluding":"8.2.4225","matchCriteriaId":"045C0178-42FE-4511-A182-AF3BA9545EF0"}]},{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":false,"criteria":"cpe:2.3:h:enphase:iq_gateway:-:*:*:*:*:*:*:*","matchCriteriaId":"75882BE4-CF58-44B5-BA30-DD13BDFF78C0"}]}]}],"references":[{"url":"https://csirt.divd.nl/CVE-2024-21878","source":"csirt@divd.nl","tags":["Third Party Advisory"]},{"url":"https://csirt.divd.nl/DIVD-2024-00011","source":"csirt@divd.nl","tags":["Third Party Advisory"]},{"url":"https://enphase.com/cybersecurity/advisories/ensa-2024-3","source":"csirt@divd.nl","tags":["Vendor Advisory"]}]}}]}